[
https://issues.jboss.org/browse/SECURITY-703?page=com.atlassian.jira.plug...
]
Stefan Guilhen closed SECURITY-703.
-----------------------------------
Fix Version/s: PIcketBox_4_0_15.Final
Resolution: Done
I've changed the log level of failed login attempts to DEBUG to avoid polluting the AS
logs with error messages. Users can still investigate failed logins by adding a
org.jboss.security category with level = DEBUG.
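The comment above says failed logins can still be investigated by adding an org.jboss.security category at DEBUG. As an added example that is not part of this issue or of the PicketBox code base, the following JBoss AS 7.1 / EAP 6 standalone.xml logging-subsystem fragment shows where that category goes, assuming the default handlers (CONSOLE filtered at INFO, FILE with no level filter); the namespace version should match the one already in your standalone.xml.

```xml
<!-- Added example, not from SECURITY-703 or the PicketBox sources.
     Assumes the stock JBoss AS 7.1 / EAP 6 logging subsystem layout. -->
<subsystem xmlns="urn:jboss:domain:logging:1.1">
    <console-handler name="CONSOLE">
        <!-- Left at INFO on purpose: the DEBUG failed-login lines enabled
             below are filtered here and never reach the console. -->
        <level name="INFO"/>
        <formatter>
            <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
        </formatter>
    </console-handler>
    <periodic-rotating-file-handler name="FILE">
        <!-- No <level> element, so this handler passes DEBUG records through.
             Adding <level name="INFO"/> here would drop the PBOX000206 lines
             before they reach server.log, regardless of the logger below. -->
        <formatter>
            <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
        </formatter>
        <file relative-to="jboss.server.log.dir" path="server.log"/>
        <suffix value=".yyyy-MM-dd"/>
        <append value="true"/>
    </periodic-rotating-file-handler>

    <!-- The category from the fix comment: with PicketBox 4.0.15.Final the
         failed-login message is emitted at DEBUG, so this is what makes it
         visible again in server.log. -->
    <logger category="org.jboss.security">
        <level name="DEBUG"/>
    </logger>

    <root-logger>
        <level name="INFO"/>
        <handlers>
            <handler name="CONSOLE"/>
            <handler name="FILE"/>
        </handlers>
    </root-logger>
</subsystem>
```

The same logger can be added to a running server with jboss-cli: `/subsystem=logging/logger=org.jboss.security:add(level=DEBUG)`. Two points worth checking after upgrading past this fix: the record is accepted at the org.jboss.security logger's level and then passed to each handler, so a handler that carries its own INFO level still discards it; and if failed logins were being shipped from server.log to a SIEM for brute-force or password-spraying detection, that signal disappears until this category is enabled.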
Picketbox logs an ERROR on each failed login
--------------------------------------------
Key: SECURITY-703
URL:
https://issues.jboss.org/browse/SECURITY-703
Project: PicketBox
Issue Type: Bug
Security Level: Public(Everyone can see)
Reporter: Thomas Heute
Assignee: Stefan Guilhen
Priority: Critical
Fix For: PIcketBox_4_0_15.Final
Picketbox logs an ERROR with a stacktrace on each failed login:
See:
catch (LoginException e)
{
    // Don't log anonymous user failures unless trace level logging is on
    if (principal != null && principal.getName() != null)
        PicketBoxLogger.LOGGER.errorDuringLogin(e);
    authException = e;
}
09:57:30,100 ERROR [org.jboss.security] (http-/127.0.0.1:8080-6) PBOX000206: Login failure: javax.security.auth.login.LoginException: Login failed for
    at org.exoplatform.services.security.jaas.DefaultLoginModule.login(DefaultLoginModule.java:136) [exo.core.component.security.core-2.5.0-CR1.jar:2.5.0-CR1]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_25]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_25]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_25]
    at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_25]
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [rt.jar:1.6.0_25]
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [rt.jar:1.6.0_25]
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [rt.jar:1.6.0_25]
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_25]
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_25]
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_25]
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:408) [picketbox-infinispan-4.0.13.Final-redhat-1.jar:4.0.13.Final-redhat-1]
in
http://anonsvn.jboss.org/repos/picketbox/tags/4.0.14.Final/picketbox-infi...
Failed logins are expected from users and shouldn't be logged. This will seriously
pollute EPP 6 logs.
--
This message is automatically generated by JIRA.